Threats to Data… and why this matters
Richard Henson
Worcester Business School
January 2015
By the end of this session you should be able to:
Explain the meanings of some regularly used security terms
Relate the process of logging on to file, folder, hardware, service access
Explain how management of access for many users on a network can be simplified
Explain why even small organisations are being targeted by hackers
Computers and Organisations
Handling data and services is a completely different ball game to the PC at home, or possibly on a small home peer-to-peer network
After people, information is the most important thing an organisation has…
  nowadays most of that information is held on computer
  it therefore needs to be protected!!!
Some Information Security Acronyms
CIA: Confidentiality, Integrity, Availability
PAIN: Privacy, Authentication/Availability, Integrity, Non-repudiation
AAA: Authentication, Authorisation, Accounting
Why do an organisation’s computers need security?
Privacy: some data must (by law) be kept private
  personal data
  financial transaction data
  commercially sensitive data
That data MUST be stored in a safe place!!!
  preferably underground in a bomb-proof container… cost???
  usual compromise is a securely locked room
  access only via computer network
Alternative… The Cloud
Use a third party to look after the data for you, via the Internet
No longer need a secure facility… Someone else doing that for you
Problem(s)?
Why bother with security?
Integrity: data must not be modified improperly
  fraud: adding large numbers to your bank balance
  employee error: accidentally typing in the wrong number of noughts…
Means that important data needs to be backed up
  preferably off-site (another Cloud?)
  also good practice in case something happened to that securely locked room
Why do an organisation’s computers need security?
Accessibility: data must be there
  otherwise they can’t do their job, or do their studying…
BUT just for those who need it
  prevention of deletion and/or corruption of something private, confidential, or just plain important…
Threats to Computers
Hackers
  Try to gain access to computers, either ‘for fun’ or for illicit financial gain
Cyberterrorists
  Try to gain access to computers for political or commercial reasons
Disgruntled Employees
  Revenge on the company
Accidents & employee error
  power failure, lack of concentration, etc.
Computer Security Basics
Rule Number 1: Don’t let anyone near your computer(s)
  includes tablets & smartphones…
This was easy when the only computers were the size of a large room…
  the desktop computer revolution was based on convenience NOT security
Security: The Basics
Rule Number 2: Don’t let anyone have access to any more of your information than they need…
  can be difficult to protect a local computer
  much easier to protect on a network server (or in the cloud)
Managing Rule #1
Keep computers in locked rooms or boxes
  If people can’t get physical contact, it is much more difficult to get at the information
Keep network hardware locked away as well
  access to a network means access to all the computers on that network
  this means that security is more difficult on a wireless network
Managing Rule #2
Passwords for logins
  enforce regular changes
Restrict access to folders and files as appropriate
Encrypt messages, especially those sent over wireless connections
Importance of Logging On
Generally associated with client-server systems
Principles should be used on individual computers
E.g. Microsoft Windows…
  peer-peer networks use single system logon
    management of file security is local
  client-server networks called domains
    management of local file security can be either local or remote
Managing Logging On
Microsoft tries to take a flexible approach
  log on locally
  or (if available) log on to domain
Either way, user access needs to be managed so:
  Everyone can access what they need to access
  People can’t see what they shouldn’t see…
What about Apple? What about Linux?
“Groups” of Users
For ease of user management, access to resources, files, services is controlled through groups that the user belongs to:
  “Administrators” group gives maximum access
  “Users” group gives limited access
  Other default groups between these extremes
New groups can be defined by local machine/domain administrators
Creating a Local Windows User
New users set up using a wizard
  only available to users with sufficient local privileges
Account created on local machine
  data associated with that account held on local machine…
Domain Users
Account created on a domain controller
  account details kept in domain database
  should be replicated between all domain controllers
User Manager displays user accounts:
  Local computer - list of existing local accounts
  Domain controller – list of existing domain accounts
User groups available by default:
Tries to anticipate general network needs
  e.g. on a Domain…
  Administrators, Printer Operators, Server Operator, Backup Operator, Users, etc…
Rule: don’t give a user any more rights than they actually need
Domain Controllers – Serving the Domain
Servers that authenticate users…
Each Domain Controller should have a copy of the domain user management (SAM) database:
  each must be able to log on and log off any user
  SAM databases on domain controllers need to be regularly synchronised
User profiles normally kept on one domain controller, and backed up to another for fault tolerance
User profiles
Stores user information when they log off
Local machine:
  Local profile data stored securely on local machine, and retrieved next time user logs on
Domain Controller:
  Domain profile data stored securely on domain controller, and retrieved next time user logs on
Types of Domain Profile
Two types:
  roaming profiles
  mandatory profiles
When user successfully logged on:
  copy of profile sent from domain controller to local workstation
  profile stored locally on C drive in a secure folder
When user logs off:
  copy of locally stored profile sent back to server
  existing server profile overwritten
  Locally stored profile deleted
Mandatory v Roaming Domain Profiles
Mandatory Profiles:
  keeps a common desktop for all
  user settings lost when user logs out
Roaming Profiles:
  user settings not lost when user logs out
  Next time user logs on (perhaps at a different machine) user gets the same desktop as when they logged out
System Profiles
Similar principle to network user profiles, but settings apply to individual systems as opposed to individual users
As with network profiles, user desktop controlled by overwriting registry settings on the local system… (!?)
Windows File Systems (1)
FAT32
  More efficient than NTFS for small partitions
  No file level security!!! (say no more…)
  Can only impose security remotely through shares
  Mainly kept for backward compatibility
Windows 2000 File Systems (2)
NTFS
  File names up to 255 characters, not case sensitive
  File and directory level security
  More efficient storage than FAT for partitions >400Mb
  Good file compression
  Good recoverability, through transaction logging
  Automatic cluster remapping if a bad cluster is identified
  Support for Apple-Mac files
Users, Groups, Security, and NTFS partitions
Any file or folder on an NTFS partition will have file permissions imposed
Typical permissions:
  No Access
  Read only
  Read and Execute
  Write
  Modify
  Ownership/Full Control
Much wider range of permissions available
Allocation of File Permissions
By default, folders have “everyone” access
  generally not a good idea!
  access according to group gives greater control
Group membership easily removed, replaced by other groups e.g.:
  Administrators
  Backup Operators
Allocation of File Permissions
Folder permissions for a user will depend on their group membership …
  individual users can ALSO have their own unique permissions
  GENERALLY not recommended
Files assume permissions & user rights of their folder
  users get file access depending on groups they have been allocated to
  as with folders, individual users can be given unique file access settings
Local, Domain Groups and File Permissions
For local login: local users
  allocated to local groups
  allocated to domain groups
For domain login: Domain users
  allocated to local groups
  allocated to domain groups
Combining Permissions
Individual users may be allocated to a number of groups
For any folder, the permissions given to those groups may be different
Their permissions to a folder when logged on are always based on an “addition” of all group permissions for that user.
  Great CARE required!
Combining Permissions
Example of the principle of “addition”:
  Fred is a member of the groups PRINT OPERATORS and USERS
  Users has READ access to folder ACCOUNTS
  Print Operators has CHANGE access to same folder
  Fred therefore has…………… CHANGE access to ACCOUNTS
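Added example (not part of the original slides): a small Python model of the “addition” principle using Fred and the ACCOUNTS folder, plus a check for the two practices the Allocation of File Permissions slides advise against (“everyone” access and per-user permissions). It goes one step beyond the slides by treating No Access as overriding every grant, which is how Windows resolves a denial against grants; the rights behind each level are simplified, and Ann, the Temps group and the SHARED folder are hypothetical.

```python
# Added example: simplified model of how group permissions combine on a folder.
# Levels are ordered weakest to strongest; each is a superset of the one before.
RIGHTS = {
    "READ": {"read"},
    "CHANGE": {"read", "write", "delete"},
    "FULL CONTROL": {"read", "write", "delete", "set_permissions"},
}
NO_ACCESS = "NO ACCESS"

# Constructed sample data. Fred and the first two ACCOUNTS entries follow the
# slide; Ann, the Temps group and the SHARED folder are hypothetical.
GROUPS = {"Administrators", "Users", "Print Operators", "Temps", "Everyone"}
MEMBERSHIPS = {"Fred": {"Print Operators", "Users"}, "Ann": {"Users", "Temps"}}
ACCOUNTS_ACL = [("Users", "READ"), ("Print Operators", "CHANGE"), ("Temps", NO_ACCESS)]
SHARED_ACL = [("Everyone", "READ"), ("Fred", "FULL CONTROL"), ("Administrators", "FULL CONTROL")]

def effective_rights(user, memberships, acl):
    """Union ("addition") of rights from every entry that applies to the user."""
    trustees = {user, "Everyone"} | set(memberships.get(user, ()))
    levels = [level for trustee, level in acl if trustee in trustees]
    if NO_ACCESS in levels:  # beyond the slide: a denial beats any grant
        return set()
    rights = set()
    for level in levels:
        rights |= RIGHTS[level]
    return rights

def highest_level(rights):
    """Name the strongest level whose rights are all present."""
    best = NO_ACCESS
    for name, needed in RIGHTS.items():
        if needed <= rights:
            best = name
    return best

def audit(acl, groups):
    """Flag the two practices the slides advise against."""
    findings = []
    for trustee, level in acl:
        if trustee == "Everyone" and level != NO_ACCESS:
            findings.append(f"Everyone has {level}: grant to a specific group instead")
        elif trustee not in groups:
            findings.append(f"{trustee} has a per-user entry ({level}): use a group")
    return findings

if __name__ == "__main__":
    for user in ("Fred", "Ann"):
        print(user, highest_level(effective_rights(user, MEMBERSHIPS, ACCOUNTS_ACL)))
    print("\n".join(audit(SHARED_ACL, GROUPS)))
```

Fred's per-user Full Control entry on SHARED shows why the “Great CARE required!” warning matters: one stray entry raises his effective access above anything his groups grant.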
Inheritance and Permissions
By default, any created subfolder will have the same permissions as the parent folder
However, the user that created the subfolder will have OWNERSHIP
  This prevents other users deleting files or otherwise interfering without the owner’s granted permission
Both OWNERSHIP and INHERITANCE can be overridden by users with sufficient (administrative) privileges
Move on 15 years…
Everyone using the Internet & World Wide Web
  goes even further through web 2.0 (Social Media)
Businesses share data/apps with partners for “business reasons”
Vast amounts of data can be stored on portable devices…
The Hyperconnected World
High Level Threat: The Reality
[Diagram: hacker, the Internet (900 million Gateways!), UK critical infrastructure]
Known for some years…
In April 2009, hackers accessed data concerning technical details of a US govt fighter jet via networks with supply chain partners
  http://www.nextgov.com/nextgov/ng_20090421_4305.php
Conclusion (US gov): “…there needs to be a new-order requirement on companies doing business with the federal government.”
If this could happen in the US…
  UK’s critical infrastructure is potentially under threat… from its business partners!
SMEs often don’t even know they’ve been hacked…
  why not?
  what should they do?
  what do they do?
  which laws will have been broken?
But why would hackers go after individuals?
Nosy?
Data may be worth something?
Provide gateways to other users/systems?
Introduce keyloggers, webbots, etc to seize control of many computers for DDoS attack
  http://www.deloitte.co.uk/ers/cyber/companies.htm
Jobs in Networks and Security
Huge misconceptions about IT jobs
This is your most important URL for all IT jobs… http://itjobswatch.co.uk